“Intrusion detection system”的意思、由来-开放百科全书

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.^[1]

IDS types range in scope from single computers to large networks.^[2] The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of an HIDS, while a system that analyzes incoming network traffic is an example of an NIDS. It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware); and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning). Some IDS products have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an intrusion prevention system.^[3] Intrusion detection systems can also serve specific purposes by augmenting them with custom tools, such as using a honeypot to attract and characterize malicious traffic.^[4]

Comparison with firewalls

Although they both relate to network security, an IDS differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS describes a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and performs access control like an application layer firewall.^[5]

Intrusion detection

IDS can be classified by where detection takes place (network or host) and the detection method that is employed (signature or anomaly-based).^[6]

For IDS related to Wireless Sensor Networks (WSNs), readers may refer to Butun et al.'s ^[7] work.

Analyzed activity

Network intrusion detection systems

Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems. NID Systems are also capable of comparing signatures for similar packets to link and drop harmful detected packets which have a signature matching the records in the NIDS.

When we classify the design of the NIDS according to the system interactivity property, there are two types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS deals with the network in real time. It analyses the Ethernet packets and applies some rules, to decide if it is an attack or not. Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or not.

NIDS can be also combined with other technologies to increase detection, and prediction, rates. Artificial Neural Network based IDS are capable of analyzing huge volumes of data, in a smart way, due to the self-organizing structure that allows INS IDS to more efficiently recognize intrusion patterns^[8]. Neural networks assist IDS in predicting attacks by learning from mistakes; INN IDS help develop an early warning system, based on two layers. The first layer accepts single values, while the second layer takes the first's layers output as input; the cycle repeats and allows the system to automatically recognize new unforeseen patterns in the network^[9]. This system can average 99.9% detection and classification rate, based on research results of 24 network attacks, divided in four categories: DOS, Probe, Remote-to-Local, and user-to-root.^[10]

Host intrusion detection systems

Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations.^[11]^[12]

Detection method

Signature-based

Signature-based IDS refers to the detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.^[13] This terminology originates from anti-virus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is difficult to detect new attacks, for which no pattern is available.^[14]

In Signature-based IDS, the signatures are released by a vendor for its all products. On-time updating of the IDS with the signature is a key aspect.

Anomaly-based

New types of what could be called anomaly-based intrusion detection systems are being viewed by Gartner as User and Entity Behavior Analytics (UEBA)^[16] (an evolution of the user behavior analytics category) and network traffic analysis (NTA).^[17] In particular, NTA deals with malicious insiders as well as targeted external attacks that have compromised a user machine or account. Gartner has noted that some organizations have opted for NTA over more traditional IDS.^[18]

Intrusion prevention

Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPS have become a necessary addition to the security infrastructure of nearly every organization.^[19]

IDPS typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPS can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.^[19]

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it.{{r|GIDPS}}.

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected.{{r|Newman2009|page1=273|WhitmanMattord2009|page2=289}} IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address.{{r|Boyles2010}} An IPS also can correct {{nobr|cyclic redundancy check (CRC)}} errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.{{r|Newman2009|page1=278|TiptonKrause2007}}.

Classification

Intrusion prevention systems can be classified into four different types:{{r|GIDPS|Vacca2010}}

Detection methods

The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.{{r|WhitmanMattord2009|page1=301|KirdaJha2009}}

Limitations

Evasion techniques

There are a number of techniques which attackers are using, the following are considered 'simple' measures which can be taken to evade IDS:

Development

The earliest preliminary IDS concept was delineated in 1980 by James Anderson at the National Security Agency and consisted of a set of tools intended to help administrators review audit trails.^[23] User access logs, file access logs, and system event logs are examples of audit trails.

The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann.^[28] Haystack was also developed in that year using statistics to reduce audit trails.^[29]

In 1986 the National Security Agency started an IDS research transfer program under Rebecca Bace. Bace later published the seminal text on the subject, Intrusion Detection, in 2000.^[30]

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory.^[31] W&S created rules based on statistical analysis, and then used those rules for anomaly detection.

In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp on a VAX 3500 computer.^[32] The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.^[33] The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system.^[34] ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.^[35]

Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system.^[36] The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt.^[37] NADIR used a statistics-based anomaly detector and an expert system.

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data.^[38] Network Flight Recorder (NFR) in 1999 also used libpcap.^[39]

APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one month later. Snort has since become the world's largest used IDS/IPS system with over 300,000 active users.^[40] It can monitor both local systems, and remote capture points using the TZSP protocol.

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.^[41] In 2003, Yongguang Zhang and Wenke Lee argue for the importance of IDS in networks with mobile nodes.^[42]

In 2015, Viegas and his colleagues ^[43] proposed an anomaly-based intrusion detection engine, aiming System-on-Chip (SoC) for applications in Internet of Things (IoT), for instance. The proposal applies machine learning for anomaly detection, providing energy-efficiency to a Decision Tree, Naive-Bayes, and k-Nearest Neighbors classifiers implementation in an Atom CPU and its hardware-friendly implementation in a FPGA.^[44]^[45] In the literature, this was the first work that implement each classifier equivalently in software and hardware and measures its energy consumption on both. Additionally, it was the first time that was measured the energy consumption for extracting each features used to make the network packet classification, implemented in software and hardware.^[46]

Free and open source systems

See also

References

1. ^{{Cite book|url=https://books.google.com/books?id=klE8DwAAQBAJ&lpg=PA31&dq=siem%20alarm%20filtering&pg=PA31#v=onepage&q=siem%20alarm%20filtering&f=false|title=Cyber and Chemical, Biological, Radiological, Nuclear, Explosives Challenges: Threats and Counter Efforts|last=Martellini|first=Maurizio|last2=Malizia|first2=Andrea|date=2017-10-30|publisher=Springer|isbn=9783319621081|language=en}}
2. ^ Axelsson, S (2000). "Intrusion Detection Systems: A Survey and Taxonomy" (retrieved 21 May 2018)
3. ^{{Cite book|url=https://books.google.com/books?id=_R5ndK-i3vkC&lpg=PA266&dq=%22intrusion%20prevention%20system%22%20AND%20(reaction%20OR%20reactive)&pg=PA266#v=onepage&q=%22intrusion%20prevention%20system%22%20AND%20(reaction%20OR%20reactive)&f=false|title=Computer Security: Protecting Digital Resources|last=Newman|first=Robert|date=2009-06-23|publisher=Jones & Bartlett Learning|isbn=9780763759940|language=en}}
4. ^{{Cite book|url=https://books.google.com/books?id=lPQYCwAAQBAJ&lpg=PA122&dq=IDS%20honeypot&pg=PA122#v=onepage&q=IDS%20honeypot&f=false|title=Honeypots and Routers: Collecting Internet Attacks|last=Mohammed|first=Mohssen|last2=Rehman|first2=Habib-ur|date=2015-12-02|publisher=CRC Press|isbn=9781498702201|language=en}}
5. ^{{Cite book|url=https://books.google.com/books?id=ebbwmOFWvR8C&lpg=PA46&dq=%22intrusion%20prevention%20system%22%20AND%20%22application%20layer%20firewall%22&pg=PA46#v=onepage&q=%22intrusion%20prevention%20system%22%20AND%20%22application%20layer%20firewall%22&f=false|title=Network and System Security|last=Vacca|first=John R.|date=2013-08-26|publisher=Elsevier|isbn=9780124166950|language=en}}
6. ^{{Cite book|url=https://books.google.com/books?id=TnE85sckwMAC&lpg=PA64&dq=IDS%20network%20host%20signature&pg=PA64#v=onepage&q=IDS%20network%20host%20signature&f=false|title=Computer and Information Security Handbook|last=Vacca|first=John R.|date=2009-05-04|publisher=Morgan Kaufmann|isbn=9780080921945|language=en}}
7. ^{{Cite journal|last=Butun|first=Ismail|last2=Morgera|first2=Salvatore D.|last3=Sankar|first3=Ravi|date=2014|title=A Survey of Intrusion Detection Systems in Wireless Sensor Networks|journal=IEEE Communications Surveys & Tutorials|language=en-US|volume=16|issue=1|pages=266–282|doi=10.1109/surv.2013.050113.00191|issn=1553-877X}}
8. ^{{Cite book|last=Garzia|first=Fabio|last2=Lombardi|first2=Mara|last3=Ramalingam|first3=Soodamani|date=2017|title=An integrated internet of everything — Genetic algorithms controller — Artificial neural networks framework for security/safety systems management and support|journal=2017 International Carnahan Conference on Security Technology (ICCST)|language=en-US|publisher=IEEE|volume=|pages=|doi=10.1109/ccst.2017.8167863|isbn=9781538615850}}
9. ^{{Cite book|last=Vilela|first=Douglas W. F. L.|last2=Lotufo|first2=Anna Diva P.|last3=Santos|first3=Carlos R.|date=2018|title=Fuzzy ARTMAP Neural Network IDS Evaluation applied for real IEEE 802.11w data base|journal=2018 International Joint Conference on Neural Networks (IJCNN)|language=en-US|publisher=IEEE|volume=|pages=|doi=10.1109/ijcnn.2018.8489217|isbn=9781509060146}}
10. ^{{Cite book|last=Dias|first=L. P.|last2=Cerqueira|first2=J. J. F.|last3=Assis|first3=K. D. R.|last4=Almeida|first4=R. C.|date=2017|title=Using artificial neural network in intrusion detection systems to computer networks|journal=2017 9th Computer Science and Electronic Engineering (CEEC)|language=en-US|publisher=IEEE|volume=|pages=|doi=10.1109/ceec.2017.8101615|isbn=9781538630075}}
11. ^{{Cite book|url=https://books.google.com/books?id=6BgEAAAAMBAJ&lpg=PT30&dq=host%20IDS%20%22mission%20critical%22&pg=PT30#v=onepage&q=host%20IDS%20%22mission%20critical%22&f=false|title=Network World|last=Inc|first=IDG Network World|date=2003-09-15|publisher=IDG Network World Inc|language=en}}
12. ^{{Cite book|url=https://books.google.com/books?id=3iiLDQAAQBAJ&lpg=PT118&dq=hids%20%22mission%20critical%22&pg=PT118#v=onepage&q=hids%20%22mission%20critical%22&f=false|title=Network and Data Security for Non-Engineers|last=Groom|first=Frank M.|last2=Groom|first2=Kevin|last3=Jones|first3=Stephan S.|date=2016-08-19|publisher=CRC Press|isbn=9781315350219|language=en}}
13. ^{{cite web |url=http://www.iup.edu/WorkArea/DownloadAsset.aspx?id=81109 |website=www.iup.edu |format=PPT |author=Brandon Lokesak |date=December 4, 2008 |title=A Comparison Between Signature Based and Anomaly Based Intrusion Detection Systems}}
14. ^{{Cite book|url=https://books.google.com/books?id=dHys9OXMFMIC&lpg=PA86&dq=signature%20IDS%20disadvantage&pg=PA86#v=onepage&q=signature%20IDS%20disadvantage&f=false|title=Network Security: Current Status and Future Directions|last=Douligeris|first=Christos|last2=Serpanos|first2=Dimitrios N.|date=2007-02-09|publisher=John Wiley & Sons|isbn=9780470099735|language=en}}
15. ^{{cite journal|last=Rowayda|first=A. Sadek|author2=M Sami, Soliman|author3=Hagar, S Elsayed|title=Effective anomaly intrusion detection system based on neural network with indicator variable and rough set reduction|journal= International Journal of Computer Science Issues (IJCSI)|date=November 2013|volume=10|issue=6}}
16. ^{{Cite web|url=https://www.gartner.com/doc/3134524?ref=SiteSearch&sthkw=avivah%20litan&fnl=search&srcId=1-3478922254|title=Gartner report: Market Guide for User and Entity Behavior Analytics|last=|first=|date=September 2015|website=|publisher=|access-date=}}
17. ^{{Cite web|url=https://www.gartner.com/doc/3367417?ref=SiteSearch&sthkw=hype%20cycle%20for%20infrastructure&fnl=search&srcId=1-3478922254|title=Gartner: Hype Cycle for Infrastructure Protection, 2016|last=|first=|date=|website=|publisher=|access-date=}}
18. ^{{Cite web|url=https://www.gartner.com/doc/3449317?ref=SiteSearch&sthkw=intrusion%20detection&fnl=search&srcId=1-3478922254|title=Gartner: Defining Intrusion Detection and Prevention Systems|last=|first=|date=|website=|publisher=|access-date=2016-09-20}}
19. ^¹{{cite journal |url=http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf |title=Guide to Intrusion Detection and Prevention Systems (IDPS) |first1=Karen |last1=Scarfone |first2=Peter |last2=Mell |journal=Computer Security Resource Center |issue=800–94 |accessdate=1 January 2010 |date=February 2007}}
20. ^¹{{cite book |last1 = nitin. |first2 = verma |last2 = Mattord |title = Principles of Information Security |pages = 290–301 |publisher = Course Technology |year = 2008 |isbn = 978-1-4239-0177-8}}
21. ^¹²{{cite book |last1 = Anderson |first1 = Ross |title = Security Engineering: A Guide to Building Dependable Distributed Systems |location = New York |publisher = John Wiley & Sons |year = 2001 |pages = 387–388 |isbn = 978-0-471-38922-4}}
22. ^http://www.giac.org/paper/gsec/235/limitations-network-intrusion-detection/100739
23. ^Anderson, James P., "Computer Security Threat Monitoring and Surveillance," Washing, PA, James P. Anderson Co., 1980.
24. ^{{cite journal |author1=David M. Chess |author2=Steve R. White |journal=Proceedings of Virus Bulletin Conference |title=An Undetectable Computer Virus |date=2000 |citeseerx=10.1.1.25.1508 }}
25. ^Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131
26. ^Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22–23, 1990, pages 110–121.
27. ^Lunt, Teresa F., "Detecting Intruders in Computer Systems," 1993 Conference on Auditing and Computer Technology, SRI International
28. ^Sebring, Michael M., and Whitehurst, R. Alan., "Expert Systems in Intrusion Detection: A Case Study," The 11th National Computer Security Conference, October, 1988
29. ^Smaha, Stephen E., "Haystack: An Intrusion Detection System," The Fourth Aerospace Computer Security Applications Conference, Orlando, FL, December, 1988
30. ^{{cite journal|last1=McGraw|first1=Gary|title=Silver Bullet Talks with Becky Bace|journal=IEEE Security & Privacy Magazine|date=May 2007|volume=5|issue=3|pages=6–9|doi=10.1109/MSP.2007.70|url=https://www.cigital.com/silver-bullet-files/shows/silverbullet-012-bbace.pdf|accessdate=18 April 2017}}
31. ^Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session Activity," The 1989 IEEE Symposium on Security and Privacy, May, 1989
32. ^Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and Privacy
33. ^Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N., Mukherjee, Biswanath, Wood, Jeff, and Wolber, David, "A Network Security Monitor," 1990 Symposium on Research in Security and Privacy, Oakland, CA, pages 296–304
34. ^Winkeler, J.R., "A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks," The Thirteenth National Computer Security Conference, Washington, DC., pages 115–124, 1990
35. ^Dowell, Cheri, and Ramstedt, Paul, "The ComputerWatch Data Reduction Tool," Proceedings of the 13th National Computer Security Conference, Washington, D.C., 1990
36. ^Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel M. and Mansur, Doug, "DIDS (Distributed Intrusion Detection System) -- Motivation, Architecture, and An Early Prototype," The 14th National Computer Security Conference, October, 1991, pages 167–176.
37. ^Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., "A Phased Approach to Network Intrusion Detection," 14th National Computing Security Conference, 1991
38. ^Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time," Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, 1998
39. ^Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New Jersey, 1999, {{ISBN|0-9666700-7-8}}
40. ^Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr. Everett F. (Skip), Jr., Esler, Joel., Foster, James C., Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and IPS Toolkit," Syngress, 2007, {{ISBN|978-1-59749-099-3}}
41. ^Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information Assurance and Security, West Point, NY, June 5–6, 2001
42. ^Intrusion Detection Techniques for Mobile Wireless Networks, ACM WINET 2003
43. ^{{Cite journal|last=Viegas|first=E.|last2=Santin|first2=A. O.|last3=Fran?a|first3=A.|last4=Jasinski|first4=R.|last5=Pedroni|first5=V. A.|last6=Oliveira|first6=L. S.|date=2017-01-01|title=Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems|url=http://ieeexplore.ieee.org/document/7463065/|journal=IEEE Transactions on Computers|volume=66|issue=1|pages=163–177|doi=10.1109/TC.2016.2560839|issn=0018-9340}}
44. ^{{Cite book|last=França|first=A. L.|last2=Jasinski|first2=R.|last3=Cemin|first3=P.|last4=Pedroni|first4=V. A.|last5=Santin|first5=A. O.|date=2015-05-01|title=The energy cost of network security: A hardware vs. software comparison|url=http://ieeexplore.ieee.org/document/7168575/|journal=2015 IEEE International Symposium on Circuits and Systems (ISCAS)|pages=81–84|doi=10.1109/ISCAS.2015.7168575|isbn=978-1-4799-8391-9}}
45. ^{{Cite book|last=França|first=A. L. P. d|last2=Jasinski|first2=R. P.|last3=Pedroni|first3=V. A.|last4=Santin|first4=A. O.|date=2014-07-01|title=Moving Network Protection from Software to Hardware: An Energy Efficiency Analysis|url=http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6903406|journal=2014 IEEE Computer Society Annual Symposium on VLSI|pages=456–461|doi=10.1109/ISVLSI.2014.89|isbn=978-1-4799-3765-3}}
46. ^{{Cite web|url=https://secplab.ppgia.pucpr.br/files/papers/2016-1.pdf|title=Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems|date=|website=SecPLab|access-date=}}
47. ^{{cite book | author=Robert C. Newman | title=Computer Security: Protecting Digital Resources | url=https://books.google.com/books?id=RgSBGXKXuzsC | accessdate=25 June 2010 | date=19 February 2009 | publisher=Jones & Bartlett Learning | isbn=978-0-7637-5994-0}}
48. ^{{cite book | author1=Michael E. Whitman | author2=Herbert J. Mattord | title=Principles of Information Security | url=https://books.google.com/books?id=gPonBssSm0kC | accessdate=25 June 2010 | year=2009 | publisher=Cengage Learning EMEA | isbn=978-1-4239-0177-8}}
49. ^{{cite book | author=Tim Boyles | title=CCNA Security Study Guide: Exam 640-553 | url=https://books.google.com/books?id=AHzAcvHWbx4C&pg=PA249 | accessdate=29 June 2010 | year=2010 | publisher=John Wiley and Sons | isbn=978-0-470-52767-2 | page=249}}
50. ^{{cite book | author1=Harold F. Tipton | author2=Micki Krause | title=Information Security Management Handbook | url=https://books.google.com/books?id=B0Lwc6ZEQhcC&pg=PA1000 | accessdate=29 June 2010 | year=2007 | publisher=CRC Press | isbn=978-1-4200-1358-0 | page=1000}}
51. ^{{cite book | author=John R. Vacca | title=Managing Information Security | url=https://books.google.com/books?id=uwKkb-kpmksC&pg=PA137 | accessdate=29 June 2010 | year=2010 | publisher=Syngress | isbn=978-1-59749-533-2 | page=137}}
52. ^{{cite book | author1=Engin Kirda | author2=Somesh Jha | author3=Davide Balzarotti | title=Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23–25, 2009, Proceedings | url=https://books.google.com/books?id=DVuQbKQM3UwC&pg=PA162 | accessdate=29 June 2010 | year=2009 | publisher=Springer | isbn=978-3-642-04341-3 | page=162}}

Comparison with firewalls